CVE-2026-2460 is a vulnerability identified in Hitachi Energy's Relion REB500, specifically version 8.0.0.0. The issue arises from a misconfiguration or design flaw in the privilege definitions associated with the DAC protocol, which governs access control to directories within the system. Authenticated users with low-level privileges can exploit this flaw to access and alter directory contents beyond their authorized scope. This is classified under CWE-267, indicating that privileges are defined with unsafe actions, allowing unauthorized operations. The vulnerability does not require user interaction but does require the attacker to be authenticated with low-level access, which lowers the barrier compared to higher privilege exploits but still requires initial access. The CVSS 4.0 vector indicates network attack vector (AV:N), high attack complexity (AC:H), no privileges required beyond low-level (PR:L), no user interaction (UI:N), and high impact on confidentiality and integrity (VC:H, VI:H) but no impact on availability or authentication bypass. No patches or known exploits are currently available, but the vulnerability poses a significant risk due to the potential for unauthorized data manipulation within critical energy infrastructure systems. The flaw could be exploited by insiders or external attackers who have gained low-level access, enabling privilege escalation or unauthorized data tampering, which could disrupt operations or compromise sensitive information.

The vulnerability could have severe consequences for organizations operating critical infrastructure, particularly in the energy sector where Hitachi Energy's Relion REB500 is deployed. Unauthorized access and modification of directory contents can lead to data integrity issues, potentially causing incorrect system behavior or operational disruptions. Confidentiality breaches may also occur if sensitive configuration or operational data is accessed or altered. Given the product's role in energy management and protection relays, exploitation could impact grid stability, leading to cascading failures or outages. The requirement for low-level authentication means attackers must first gain some access, but once inside, they can escalate privileges or manipulate critical data, increasing insider threat risks. The absence of known exploits suggests limited current exploitation, but the high CVSS score and critical nature of the product warrant urgent attention. Organizations worldwide relying on this product for energy infrastructure protection face risks of operational disruption, regulatory non-compliance, and reputational damage if the vulnerability is exploited.

Immediate mitigation should focus on restricting access to the Relion REB500 systems to trusted personnel only, enforcing strict network segmentation and access controls to limit exposure. Organizations should implement robust authentication mechanisms and monitor for unusual access patterns indicative of privilege abuse. Since no patches are currently available, consider disabling or restricting the DAC protocol usage where feasible or applying compensating controls such as enhanced logging and alerting on directory access attempts. Conduct thorough audits of user privileges to ensure no unnecessary low-level access is granted. Collaborate with Hitachi Energy for timely updates or patches and apply them as soon as they become available. Additionally, implement intrusion detection systems tailored to detect anomalous behavior on these devices. Regularly review and update incident response plans to include scenarios involving privilege escalation within critical infrastructure devices.